Got this sorted out and working, and thought I should share the two
pitfalls which were causing me problems.

First of all, unbelievably, the 500 Internal Server Error was being
caused by an extra carriage return between my last HTTP header and the
first multipart boundary. Seriously. I had two blank lines in there
instead of one. Removed the extra carriage return, and my 500
vanished, being replaced by a more reasonable "(401) Unauthorized -
Incorrect signature" error.

Secondly, the OAuth documentation seems a bit shaky when it comes to
multipart/form-data POSTs. But basically, you do NOT use any of the
POST parameters when creating your signature. And this includes all of
the OAuth-specific parameters like oauth_consumer_key,
oauth_signature_method, etc. Bit of a security hole, IMHO: OAuth
implements all this complexity to avoid man-in-the-middle or replay
attacks, and as soon as you do a multipart POST it's all negated.

So, my signature base was literally:

POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&

Just the HTTP method and the URL. No parameters.

Once I made that change to the signature generation, my request went
through fine and my avatar changed.

Hope this helps someone!

Cheers,
David...
